sysaccounts can now be used as a member for roles.
Example:
- name: Ensure role my-app role has sysaccount member my-app
  iparole:
    name: my-app role
    sysaccount: my-app
    action: member
New tests for the module:
tests/role/test_role_sysaccount_member.yml
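---
# Test play for the iparole "sysaccount" member parameter.
# It creates a privilege, a sysaccount and a role, then adds, removes and
# clears the sysaccount membership of the role. Most steps are run twice:
# the first run must report a change, the second ("again") must not.
- name: Test sysaccount
  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  # It is normally not needed to set "become" to "true" for a module test.
  # Only set it to true if it is needed to execute commands as root.
  become: false
  # Enable "gather_facts" only if "ansible_facts" variable needs to be used.
  gather_facts: false
  # Connection settings applied to every ipaprivilege, iparole and
  # ipasysaccount task below.
  # NOTE(review): the admin password is a literal in this file; presumably it
  # is the fixture credential of the test deployment. Outside of tests,
  # ipaadmin_password would be supplied from a vaulted variable instead.
  module_defaults:
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
    iparole:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"

  tasks:

  # Capability probe: the help text of "ipa role-add-member" is captured and
  # the test block below only runs when it mentions "sysaccounts".
  # A credential cache named by krb5ccname is created with kinit for the ipa
  # call and removed again with kdestroy.
  # NOTE(review): the exit status of the script is that of the final echo, so
  # a failing kinit or ipa call does not fail this task; the tests are then
  # skipped instead of failed.
  # NOTE(review): the password is part of the script text handed to the shell
  # module, so it can show up in verbose task output and in the module
  # invocation log on the managed host. Tolerable for a fixture password only.
  # NOTE(review): krb5ccname has no directory part; the cache file presumably
  # lands in the working directory of the remote shell - confirm.
  - name: Verify if role sysaccount member tests are possible
    ansible.builtin.shell:
      cmd: |
        echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin > /dev/null
        RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa role-add-member --help)
        kdestroy -A -c {{ krb5ccname }} > /dev/null
        echo $RESULT
    vars:
      krb5ccname: "__check_ipa_role_add_member__"
    register: check_role_add_member
    # The probe only reads help output and removes its own credential cache,
    # so it must not be reported as a change.
    changed_when: false

  - name: Execute tests
    when: '"sysaccounts" in check_role_add_member.stdout'
    block:

    # CLEANUP TEST ITEMS
    # Remove leftovers of an earlier run. No result check: these tasks are
    # allowed to change something or nothing.

    - name: Ensure sysaccount my-app is absent
      ipasysaccount:
        name: my-app
        state: absent

    - name: Ensure role "my-app role" is absent
      iparole:
        name: my-app role
        state: absent

    - name: Ensure privilege "my-app password change privilege" is absent
      ipaprivilege:
        name: my-app password change privilege
        state: absent

    # CREATE TEST ITEMS

    # Privilege later attached to the role; it carries the single permission
    # "System: Change User password".
    - name: Ensure privilege "my-app password change privilege" is present
      ipaprivilege:
        name: my-app password change privilege
        permission:
        - "System: Change User password"
      register: result
      # First creation must report a change.
      failed_when: not result.changed or result.failed

    # TESTS

    # NOTE(review): with "random: true" the registered result may carry a
    # generated password; it is not read anywhere in this play.
    - name: Ensure sysaccount my-app is present with random password
      ipasysaccount:
        name: my-app
        random: true
      register: result
      failed_when: not result.changed or result.failed

    # Role creation with the sysaccount member and the privilege in one call.
    - name: Ensure role "my-app role" is present with sysaccount member my-app
      iparole:
        name: my-app role
        sysaccount: my-app
        privilege: my-app password change privilege
      register: result
      failed_when: not result.changed or result.failed

    # Idempotency: the identical call must not change anything.
    - name: Ensure role "my-app role" is present with sysaccount member my-app, again
      iparole:
        name: my-app role
        sysaccount: my-app
        privilege: my-app password change privilege
      register: result
      failed_when: result.changed or result.failed

    # Member removal with "action: member" and "state: absent"; the role
    # itself is only named here, not deleted.
    - name: Ensure role my-app role does not have sysaccount member my-app
      iparole:
        name: my-app role
        sysaccount: my-app
        action: member
        state: absent
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure role my-app role does not have sysaccount member my-app, again
      iparole:
        name: my-app role
        sysaccount: my-app
        action: member
        state: absent
      register: result
      failed_when: result.changed or result.failed

    # Member addition with "action: member" (no state given).
    - name: Ensure role my-app role has sysaccount member my-app
      iparole:
        name: my-app role
        sysaccount: my-app
        action: member
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure role my-app role has sysaccount member my-app, again
      iparole:
        name: my-app role
        sysaccount: my-app
        action: member
      register: result
      failed_when: result.changed or result.failed

    # An empty list without "action: member" is expected to clear the
    # sysaccount members of the role (the role has one member at this point).
    - name: Ensure role my-app role has zero sysaccount members
      iparole:
        name: my-app role
        sysaccount: []
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure role my-app role has zero sysaccount members, again
      iparole:
        name: my-app role
        sysaccount: []
      register: result
      failed_when: result.changed or result.failed

    # The members were cleared above, so removing my-app must be a no-op.
    - name: Ensure role my-app role does not have sysaccount member my-app, again
      iparole:
        name: my-app role
        sysaccount: my-app
        action: member
        state: absent
      register: result
      failed_when: result.changed or result.failed

    # CLEANUP TEST ITEMS

    - name: Ensure sysaccount my-app is absent
      ipasysaccount:
        name: my-app
        state: absent

    - name: Ensure role my-app role is absent
      iparole:
        name: my-app role
        state: absent

    - name: Ensure privilege "my-app password change privilege" is absent
      ipaprivilege:
        name: my-app password change privilege
        state: absent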